5 THE SCHOOL DISTRICT OF LUNG CHIU, CIG, CPA SCHOOL BOARD PALM BEACH COUNTY, FLORIDA INSPECTOR GENERAL CHUCK SHAW, CHAIRMAN FRANK A. BARBIERI, JR, ESQ., VICE CHAIRMAN OFFICE OF INSPECTOR GENERAL MARCIA ANDREWS 3318 FOREST HILL BLVD., C-306 KAREN M. BRILL WEST PALM BEACH, FL JENNIFER PRIOR BROWN, ESQ. MICHAEL MURGIO (561) FAX: (561) DEBRA L. ROBINSON, M.D. E. WAYNE GENT, SUPERINTENDENT M E M O R A N D U M TO: FROM: Honorable Chair and Members of the School Board E. Wayne Gent, Superintendent of Schools Chair and Members of Audit Committee Lung Chiu, CPA, Inspector General DATE: April 11, 2014 SUBJECT: Audit of District s Information Technology Disaster Recovery Plan PURPOSE AND AUTHORITY Pursuant to the District s Audit Plan of , we have audited the District s Information Technology Disaster Recovery Plan. The primary objective of the audit was to assess the adequacy of the District s Information Technology Disaster Recovery Plan for preserving the integrity of data backups and minimizing disruption to the District s operations should disasters occur. SCOPE AND METHODOLOGY The audit was conducted in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This audit was based on information and records obtained from four departments: (1) IT Infrastructure, System Support & Security, (2) IT Enterprise Applications, (3) IT Technical Operations, and (4) Purchasing. Computer processed data was not used as part of this audit; therefore, we did not assess the reliability of this data. The scope and methodology of this audit included the following areas: Development of the Information Technology Disaster Recovery Plan Plan testing and maintenance of both plans 1

6 Effectiveness of tape backup procedures, testing, and storage facility review Contracts for hot site recovery and tape storage Test results and action plans from hot sites This review also included the review of the following: School Board Policies and District s procedures School Board IT User Standards and Guidelines Manual Florida Statute Section 1. Subsection (3b) and Florida Statute Chapter 1B , Florida Administrative Code Records Management Standards and Requirements Electronic Recordkeeping (11) (b) Florida Agency for Enterprise Information Technology AEIT Rule 71A-1.012, Florida Administrative Code Audit conclusions were brought to the attention of staff during the audit so that necessary corrective actions could be implemented immediately. The draft report was sent to the departments for review and comments. The management response is included in the Appendix. We would like to thank staff for their cooperation and courtesy extended to us during the audit. The final draft report was presented to the Audit Committee at its April 11, 2014, meeting. INFORMATION EXEMPT FROM PUBLIC DISCLOSURE Pursuant to Florida Statute , certain security systems information is exempt from public access and disclosure. Moreover, in accordance with Government Auditing Standards, Section 7.41, information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information As such, this confidential and sensitive information has been excluded or redacted from this report. This information and the related audit findings have been provided to the Chief Operating Officer and Division of Information Technology for review and appropriate corrective actions. BACKGROUND District s Continuity of Operations Plan (COOP). This is a District-wide planning process with the objective of maintaining continuity of the business processes across the District during/after a disaster. Damages to the District could range from data loss due to corrupted data to loss of computer operations and adverse impacts on other District operations from a hurricane, tornado, and fire, etc. 2

7 Business Impact Analysis. As part of the COOP, Service Level Agreements between the business processes and Information Technology are needed to determine which systems should be recovered first within specific timeframes. This requires the completion of a formal Business Impact Analysis which includes an inventory of all computer systems, a cost/benefit risk assessment to identify and include all the critical systems in the backup and disaster recovery arrangement. The Business Impact Analysis also assesses the risk for certain disasters to occur along with the cost to be incurred for the loss of each critical District process and computer system in the event of these disasters. The cost of the loss should always outweigh the cost of restoring the business process as the District does not want to spend more money on a disaster recovery solution than the financial loss or other consequences that would be suffered from a disaster. Critical applications to restore at a recovery facility should be identified in order to minimize the disruption of business operations should disaster occur. Technology Disaster Recovery Plan (DRP). DRP is a component of COOP and can only be successful with full engagement from the departments and schools for input and plan testing. DRP focuses on the continuity of the technology side of the District. Disaster recovery plans should be tested periodically and modifications be made to correct any problems. Overall, the District has established and implemented some parts of DRP. As of January 28, 2014, the District has the following agreements with three vendors for Disaster Recovery (DR) services: Vendor 1: This vendor (in an out-of-state location) provides DR facility for the District s mainframe computer systems, such as the Student TERMS System. The annual cost of this contract during 2013 was about $43,708. Vendor 2: This vendor (in Florida) provides DR facility for the District s enterprise systems such as PeopleSoft (Financial and HR/Payroll) and Educational Data Warehouse (EDW). The annual cost of this contract was approximately $64,306 during Vendor 3: This vendor (in Florida) provides off-site storage of backup tapes for the District s computer systems. Total payment to this vendor during 2013 was approximately $57,044. The District continuously replicates and transmits data for the enterprise systems, such as PeopleSoft, to Vendor 2. Backup tapes of the enterprise systems are also sent to the off-site storage facility with Vendor 3 in case the data transmitted to Vendor 2 is not available for any unforeseen reason. Mainframe data for student information on the TERMS system is also backed up daily on tape and sent to the off-site storage facility managed by Vendor 3. In case of a disaster, the off-site storage facility with Vendor 3 is responsible for sending the mainframe and enterprise systems backup tapes to the two DR sites with Vendor 1 and Vendor 2 respectively. 3

8 CONCLUSIONS The audit produced the following major conclusions. 1. Business Impact Analysis (BIA) Not Performed Continuity of Operations Plan (COOP) is a District-wide planning process. The objective of the plan is to maintain continuity of the business processes in case of a disaster. The Technology Disaster Recovery Plan (DRP) is a subset of the COOP and focuses on the continuity of the technology side of the District in order to support the District s schools and departments during a disaster. COOP is a sound business practice which should help to assure the District s survival in the event of a disaster. A Business Continuity Plan (referred to as the Continuity of Operations Plan (COOP) at the School District) is required by Florida Statutes (3)(b) for Palm Beach County and all state agencies. Specifically, the statute states: The plan must include, at a minimum, the following elements: identification of essential functions, programs, and personnel; procedures to implement the plan and personnel notification and accountability; delegations of authority and lines of succession; identification of alternative facilities and related infrastructure, including those for communications; identification and protection of vital records and databases; and schedules and procedures for periodic tests, training, and exercises. The District is part of the local government and submitted a copy of its COOP version to Palm Beach County Office of Emergency Management in A second COOP draft version was started in October 2011 but had not been completed. Both the 2010 version and the 2011 draft require more involvement, feedback, testing and written approval from departments, schools, and senior management. Although a COOP requires the District to conduct a Business Impact Analysis (BIA), we found no evidence of such analysis by the District. The BIA should include an inventory of all computer systems in the School District and a cost/benefit risk assessment to identify and include all the critical systems in the backup and disaster recovery arrangement. The analysis should also include critical business processes, their associated downtime, and the risks to be incurred in the event of a disaster. These risks should justify the required availability of the processes and the related IT systems that are needed to support the processes. General services needed for schools/departments in an emergency were found in the Continuity of Operations Plan; however, the Business Impact Analysis was not performed. Also, the Internal Service Level Agreements with detailed requirements about system name, and system availability were not completed and implemented between the schools/ departments and Information Technology. It did appear that Information Technology attempted to obtain this information, but no input was received from the business side. Consequently, there is no assurance that the Information Technology is aware of the availability requirements of the business operations. 4

9 In the absence of a Business Impact Analysis, which should include an inventory of all computer systems and a risk assessment, there are increased risks that some critical applications will not be appropriately defined and included in the Disaster Recovery Plan. Consequently, the District may not be fully prepared for disasters because not all the applications are included in the Technology Disaster Recovery Plan. As indicated in the District Technology Plan, work is still needed on further completion of the Continuity of Operations Plan. Recommendation A formal Business Impact Analysis should be conducted by the business/applications sides to inventory all computer systems, confirm the identification of critical processes and applications, and to further confirm that the identified Recovery Time Objectives (Tiers I, II, and III) remain appropriate and relevant as noted in the draft COOP. Management s Response: The District's COOP plan was first approved and submitted to Palm Beach County Office of Emergency Management in The District initiated a review/revision of the COOP plan in 2013 with a final version being submitted to Palm Beach County office of Emergency Management in December The final COOP plan was approved by senior management as well as appropriate department leaders. The District developed an Essential Systems document that was reviewed and approved by management in IT will work with Operational and Academic divisions to update/revise the Essential Systems Documents and develop a full functioning Business Impact Analysis (BIA) which will include critical business processes, financial, operational and instructional risks to be incurred in the event of a disaster. (Please see page 13.) 2. Disaster Recovery Plans Not Fully Tested Disaster Recovery Plan testing allows users to test procedures and detect errors or gaps. Agency for Enterprise Information Technology Florida Administrative Code, AEIT Rule 71A-1.012(5) requires annual testing of the technology disaster recovery plans. Specifically, Information Technology Disaster Recovery Plans shall be tested at least annually; results of the annual exercise shall document those plan procedures that were successful and modifications required to correct the plan. Regular testing of the Technology Disaster Recovery Plan will ensure that: 1. The plans are updated. Both technical and functional tests need to be performed which requires resources for preparation time, reporting test results, and implementing an action plan. 2. Problems encountered are discussed. 5

10 3. Critical systems can be recovered and addressed. However, the District s Disaster Recovery Plan does not require periodic testing. The District should ensure the system and data are restored within time frames the district has defined in the Business Impact Analysis. The functional team should ensure that the processes on the test plans for TERMS student information and PeopleSoft Financial and HR/Payroll, etc. are successful. We noticed that the functional team has not tested the PeopleSoft Financials and HR/Payroll business processes since July 2010, over three years ago. Also, functional testing for mainframe TERMS student information was last tested in July 2011 at the DR facility with Vendor 1, over two years ago. Moreover, lessons learned and action plans from testing sessions were not consistently documented and made available for management use. Consequently, potential problems detected during testing will not be addressed in the plan. When a disaster recovery plan is not tested regularly, there is an increased risk that restoration of technology operations could be delayed in the event of a disaster. Recommendation The District should: Incorporate an annual testing of the enterprise systems (PeopleSoft) and Student TERMS System at the disaster recovery facilities, as part of the District s Disaster Recovery Plan (DRP) to identify and address any weaknesses. Restoration of backup tapes should also be part of this annual testing. Document and learn from DRP testing and address issues accordingly. Management s Response: A DR Functional and Technical test was performed at Vendor 1 site in December 2013 for the TERMS system. All associated documentation and restoration of backup tapes were completed. IT has scheduled the annual TERMS DR functional and technical test at the District's Disaster Recovery facility (Vendor 1) for July Restoration of backup tapes are included in the DR process. This process will continue annually. PeopleSoft functional DR testing: The PeopleSoft Team along with the business users will perform annual DR functional and technical tests through virtual connections to Vendor 2 on key business functions. (Please see page 13.) 6

11 3. Temperature and Humidity Requirements at Off-Site Tape Storage Facility Did Not Meet Specifications We visited the off-site storage facility with Vendor 3 on June 20, During the visit, we observed that the temperature of the media vault was 72.3 degrees Fahrenheit and the humidity was 42%. There was no automatic temperature monitoring or redundant power system to run the air conditioners for the vault. Consequently, there was no assurance that the air conditioning was functioning properly. The School District s Request For Proposal (RFP) No. 09C-004L for the off-site tape storage facility states: In compliance with Florida Statute these storage areas shall also be temperature and humidity controlled at all times and shall be physically separated from the paper records storage areas. As specified in Chapter 1B , Florida Administrative Code.., the temperature for such storage areas shall be maintained below 68 degrees Fahrenheit and the relative humidity controls shall remain between 20 and 30%. Also, page 82 Electronic Media and Archival Storage Environment of the RFP states, The storage area shall include storage racks, fire suppressant systems (nonliquid), and alarm systems. The successful proposer shall store media in a facility that meets the county commercial building codes and hurricane standards in which the facility is located. During our visit, we noted a log located outside the media vault which indicated that the fire suppression system was installed for the off-site tape media vault. However, the log indicated the system was not tested since January 19, 2009, which also appeared to be the installation date of the system. Inspections for this type of system should occur every six months, according to a manual for that same system. The environment and safety controls for the media room should be properly maintained to ensure the integrity of the data on the tapes, and the restoration of backup of critical District data will not be compromised. Recommendation We recommend the following issues be addressed at the current off-site tape media vault location: The media vault temperature and humidity be maintained properly. The vault should also be installed with the device for monitoring the temperature and humidity, and instant redundant power supply for air conditioning. There should be proper inspections of fire suppression systems. 7

12 The temperature and humidity monitoring system for the vault and an instant redundant power supply for air conditioning, fire, etc. should be a part of requirements for future Request for Proposal. Management s Response: IT has been in communication with Vendor 3 including a surprise visit to see that related inadequacies were also corrected. Additionally, IT will work with experts in the field environmental control from District facilities management and establish a process for future inspections. Future competitive solicitation documents will include the requirements for remote monitoring of temperature and humidity and redundant power supply subject to cost considerations and fiscal responsibility. (Please see page 14.) 4. Back-up Tapes May Not Arrive at Designated Off-site Location The mainframe tapes containing TERMS student information and the District enterprise system tapes with PeopleSoft and EDW data, etc. are rotated daily to the designated off-site storage facility with Vendor 3. The business systems backup tape is an additional safeguard implemented by the Information Technology Department in case the data continuously transmitted to Vendor 2 is somehow corrupted in a disaster. We tested 13 backup tapes sent to the off-site media storage vault for a period of two days (June 17 and 18, 2013) and noted that two of the tapes (tape # and tape #400475L4) for June 17, 2013, were not received by the off-site truck driver, and therefore were never sent to the off-site vault as presumed by District s IT staff. The above enterprise system and mainframe tapes would not be available to restore critical District data if a disaster occurred at the District. There were no written procedures to ensure that all tapes scheduled to be shipped to the designated off-site storage facility with Vendor 3 arrived at the storage site. IT staff later stated that the tapes might not have been given to the driver and has since documented procedures to correct this issue. Recommendation Information Technology should develop procedures to ensure that all backup tapes scheduled for delivery arrive at the off-site storage facility for proper storage. Management s Response: The tapes identified in the finding were not from the TERMS or the Mainframe systems. Therefore, the District was not at risk with the TERMS or the Mainframe systems as stated in the finding. The tapes identified in the audit are from the secondary (redundant) backup of the enterprise system pool of PeopleSoft and EDW database as per the data below from the tape backup 8

13 log. The primary backup of the enterprise system pool database is conducted by continuous electronic transmission to Vendor 2 The District IT staff monitors that transmission to ensure data integrity. However, we have taken steps with our internal and vendor processes to ensure that all tapes are accounted for and delivered in a timely fashion to Vendor 3. The data submitted earlier showed the tapes to be TSM server (non-mainframe) tapes. (Please see page 14.) 5. Technology Disaster Recovery Plan Needs Improvement The Disaster Recovery Plan (DRP) should support the business strategy outlined in the Continuity Operation Plan and contain a prioritized recovery strategy. While work has been performed on the Disaster Recovery Plan (DRP) and includes critical applications, the framework is not yet fully implemented. Specifically, The District has assigned only one employee the task of administering the DRP activities, among their numerous other duties. There is no evidence that the DRP was adopted by the School District, and therefore may not meet the needs. There is no DRP versioning process to ensure that the plan is kept up-to-date and indicate possible changes in procedures and responsibilities which should be communicated to all responsible parties. Without these procedures, there is no assurance all items in the plan are current. Moreover, there is no evidence of when the last review of the Disaster Recovery Plan occurred. The Technology Department should review the plan annually and make necessary adjustments. Technology employees utilize a SharePoint site to access the DRP, which increases the risk that the DRP will not be readily available should the SharePoint site not be accessible in a disaster. Internal Service Level Agreements with detailed requirements about system availability have not been completed and implemented between the Technology Department and the schools/departments. This increases the risk that the Technology Department may not be aware of the availability requirements of the business side. Recommendation To ensure the DRP is readily available in a disaster and meets the business requirements for recovery times and priorities, the, District should: Know who are the employees currently assigned to the DRP program. 9

14 Ensure that the DRP is reviewed and formally adopted. The same employees who sign the internal Service Levels Agreements detailing system availability requirements should sign the DRP. Implement procedures to certify all DRP documents are formally reviewed and approved by application users and updated at least annually. Ensure that the DRP is also in a format other than SharePoint and distributed to appropriate employees. Staff at the recovery facilities should have access to DRP documents. Ensure formal Service Level Agreements with detailed requirements about system availability be implemented between IT and schools and departments. Management s Response: We concur with the finding that IT has inadequate staffing levels to support the audit s detailed recommendations. Flash Drives for the DR plan have been purchased and are being distributed to respective stakeholders. (Please see page 14.) 6. Procedures for Off-Site Tapes to Designated Recovery Sites Needs Enhancement The District has contracts for two disaster recovery facilities: Vendor 1: This vendor (in an out-of-state location) provides DR facility for the District s mainframe computer systems, such as the Student TERMS System. Vendor 2: This vendor (in Florida) provides DR facility for the District enterprise systems such as PeopleSoft (Financial and HR/Payroll) and Educational Data Warehouse (EDW). However, there are no written procedures from the District for the designated off-site storage facility with Vendor 3 to automatically ship the tapes to the disaster recovery facilities in the event of an emergency, without input from the District s IT Division. For prior mainframe disaster recovery tests, District IT staff notified the off-site tape storage facility with Vendor 3 of the tape numbers and Vendor 1 s address to ship the tapes to. However, if IT staff is unable to provide the off-site tape facility with the exact tape numbers and address, no backup tapes would be shipped to the designated recovery facilities in the event of a disaster. Recommendation The District should develop and implement procedures to ensure that management at the offsite storage facility with Vendor 3 ships the appropriate tapes to the designated recovery addresses in the event of an emergency. 10

Mid-Year Review Of Internal Funds for Four Schools April 10, 2015 Report #2015-05 MISSION STATEMENT The School Board of Palm Beach County is committed to providing a world class education with excellence

Audit of Workers Compensation Program October 23, 2014 Report #2014-06 MISSION STATEMENT The School Board of Palm Beach County is committed to providing a world class education with excellence and equity

Audit of Inventory Controls at Transportation Services Department November 16, 2012 Report #2012-16 MISSION STATEMENT The School Board of Palm Beach County is committed to providing a world class education

Follow-up Audit of Fees Paid to Construction Managers June 11, 2015 Report #2015-07 MISSION STATEMENT The School Board of Palm Beach County is committed to providing a world class education with excellence

Special Audit of Addison Mizner Elementary School s SACC Fieldtrips April 16, 2010 Report #2010-04 MISSION STATEMENT The School Board of Palm Beach County is committed to excellence in education and preparation

Audit of Software Inventory Procedures April 22, 2003 Report 2003-8 MISSIONSTATEMENT The School Board of Palm Beach County is committed to excellence in education and preparation of all our students with

Page 2 of 10 Scope and Objectives We reviewed the backup and disaster recovery processes utilized by DOH for information applications/systems managed by IT over the last three years. This review included

Audit of Information Technology Help Desk October 10,2003 Report 2003-15 MISSIONSTATEMENT The School Board of Palm Beach County is committed to excellence in education and preparation ofall our students

New Jersey State Legislature Office of Legislative Services Office of the State Auditor Office of Information Technology E-Government Services February 13, 2001 to November 21, 2001 Richard L. Fair State

Vital Records Mary Hilliard, CRM Background Vital records of an organization must be identified so they can be protected Protection of vital records is a joint effort of records management and disaster

AUDITOR GENERAL WILLIAM O. MONROE, CPA HILLSBOROUGH COUNTY DISTRICT SCHOOL BOARD LAWSON FINANCIALS MODULE Information Technology Audit SUMMARY To support its financial management needs, the Hillsborough

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the HIPAA Security rule: Contingency planning and evaluation.

Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No. 06-08, August 14, 2006 INTRODUCTION This report presents the results of the Office of Inspector General s evaluation of the

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved May 3, 2012 Reference Number: 2012-20-041 This

Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more

Audit of G-Star School of the Arts For Motion Pictures and Television September 14, 2007 Report 2007-11 Audit of G-Star School of the Arts for Motion Pictures and Television Table of Contents PURPOSE AND

HOW TO CREATE A VITAL RECORDS PROTECTION PLAN New York State Unified Court System Division of Court Operations Office of Records Management June 2003 TABLE OF CONTENTS Purpose of a Vital Records Protection

Audit of Boca Raton Middle School's Community School Program November 12,2004 Report 2004-15 MISSIONSTATEMENT The School Board of Palm Beach County is committed to excellence in education and preparation

November 2015 Information Technology Operational Audit UNIVERSITY OF SOUTH FLORIDA Data Center Sherrill F. Norman, CPA Auditor General Board of Trustees and President Members of the University of South

STATE OF NORTH CAROLINA UNC-GENERAL ADMINISTRATION BANNER HOSTING SERVICES DECEMBER 2013 INFORMATION TECHNOLOGY GENERAL CONTROLS PERFORMANCE AUDIT OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

Audit of Information Technology Disaster Recovery March 11, 2005 Report 2005-05 MISSION STATEMENT The School Board of Palm Beach County is committed to excellence in education and preparation of all our

U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098

INTERNAL AUDIT DIVISION AUDIT REPORT Audit of the Riskmetrics system in the Investment Management Division of UNJSPF Overall results relating to the effective implementation of the Riskmetrics system were

A REPORT TO THE ARIZONA LEGISLATURE Financial Audit Division Single Audit Coconino County Community College District Year Ended June 30, 2015 Debra K. Davenport Auditor General The Auditor General is appointed

The Practice of Internal Controls Cornell Municipal Clerks School July 16, 2014 Page 1 July 18, 2014 Cash Receipts (Collection procedures) Centralize cash collections within a department or for the local

Massachusetts Institute of Technology Functional Area Recovery Management Team Plan Development Template Public Distribution Version For further information, contact: Jerry Isaacson MIT Information Security

Audit of System Backup and Recovery Controls for the City of Milwaukee Datacenters MARTIN MATSON City Comptroller AYCHA SIRVANCI, CPA Audit Manager City of Milwaukee, Wisconsin July 2014 TABLE OF CONTENTS

MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

SERVICEPOINT SECURING CLIENT DATA This document and the information contained herein are the property of and should be considered business sensitive. Copyright 2006 333 Texas Street Suite 300 Shreveport,

whitepaper Why Should Companies Take a Closer Look at Business Continuity Planning? How Datalink s business continuity and disaster recovery solutions can help organizations lessen the impact of disasters

Disaster Recovery Plan Florida-Bahamas Synod of the Evangelical Lutheran Church in America April 4, 2014 The Florida-Bahamas Synod gratefully acknowledges the model and selected text from "Administrative

The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology EPA Can Better Assure Continued Operations at National Computer Center Through Complete and Up-to-Date Documentation

Business Continuity Planning 101 Presentation Overview What is business continuity planning Plan Development Plan Testing Plan Maintenance Future advancements in BCP Question & Answer What is a Disaster?

Disaster Recovery 101 Sudarshan Ranganath & Matthew Phillips Ellucian SESSION OBJECTIVES Business continuity is critical to every institution and its IT organization. How do you set up your ERP and other

911 Data Center Operations Performance Audit June 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint

AUDITING A BCP PLAN Thomas Bronack Auditing a BCP Plan presentation Page: 1 What are the Objectives of a Good BCP Plan Protect employees Restore critical business processes or functions to minimize the

Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine